[147912] in cryptography@c2.net mail archive


Re: [Cryptography] [RNG] on RNGs, VM state, rollback, etc.

daemon@ATHENA.MIT.EDU (Arnold Reinhold)
Thu Oct 31 13:20:58 2013

X-Original-To: cryptography@metzdowd.com
From: Arnold Reinhold <agr@me.com>
Date: Thu, 31 Oct 2013 09:05:15 -0400
To: Cryptography <cryptography@metzdowd.com>
Cc: David Mercer <radix42@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Mon, 28 Oct 2013 21:05:13 David Mercer wrote
> 
> Date: Mon, 28 Oct 2013 21:05:13 -0700
> From: David Mercer <radix42@gmail.com>
> To: Philipp Gühring <pg@futureware.at>
> Cc: Alexandre Anzala-Yamajako <anzalaya@gmail.com>, Cryptography
> 	<cryptography@metzdowd.com>, John Denker <jsd@av8n.com>
> Subject: Re: [Cryptography] [RNG] on RNGs, VM state, rollback, etc.
> Message-ID:
> 	<CADpjbE3P+-d7K3Uc28U1GROkKtrJ299bVyyu-HPQMSoTPXkQrw@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
> 
> On Sun, Oct 27, 2013 at 3:53 PM, Philipp Gühring <pg@futureware.at> wrote:
> 
>> Hmm, if someone is able to run secret opcodes, then we already have
>> local code execution, right? And in this case there might be far more
>> powerful secret opcodes that give ring 0, ring -1, ... access, and we
>> usually have to care about much larger problems than RNG attacks.
>> 
> 
> Uhm, yes, if I as an attacker have "ring -1" level access to your
> machine/hypervisor/VM/whatever, you are so toast that I have already
> succeeded, and am not going to give a hoot about attacks on your RNG.
> I can grab all your keystrokes, private keys when used, unencrypted data,
> etc.
> 
> I can't think of ANY threat model in which an attacker would continue
> attacking an RNG if they have that. ANY. Disproof by counter-example from
> history or the literature appreciated.
> 
> -David Mercer

The beauty of an RNG attack is that it does not require any communications back to the attacker, unlike the other attacks you mention. Such back communications can arouse suspicion. And done right, an RNG attack does not introduce any insecurity in the attacked system that others can exploit. NSA may want to monitor Angela Merkel's traffic without making it easier for Russia or China to do so, for example.

Arnold Reinhold

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography